pfSense

When scrub is enabled, a set of valid fragments can be re-fragmented improperly by scrub when exiting the firewall. Without scrub enabled, the packets are forwarded properly.

A patch for this has already been imported into 2.4, this report is for documentation purposes.

I originally reproduced the reported problem by crafting packets with Scapy, using packets from a submitted capture file as a template. The packets are two fragments of a single TCP SYN.

With scrub disabled:

• First packet is 8 bytes, marked as bytes 0-7
• Second packet is 12 bytes, marked as bytes 8-19

With scrub enabled:

• First packet is 12 bytes, marked as bytes 0-11
• Second packet is 8 bytes, marked as bytes 8-15

The same problem is present on stock FreeBSD 11 using pf with scrub.

kp@freebsd.org committed a fix to FreeBSD , which Renato imported into 2.4 snapshots and I tested afterward.

The new behavior is valid. The receiver now sees three non-overlapping fragments (8b, 8b, 4b) because the fragment reassembly code re-fragments along the size of the largest fragment, rounded down to the nearest 8-byte multiple. This is done to ensure the firewall does not break PMTUD.